When people explore vast uncharted seas of the world wide web to find the content of their choice, they need to be aware, as dangers are hiding underneath of surface. For many, the statement that the internet is not a safe place comes as no surprise, but when it comes to phishing (which is a form of scam) being just careful may not always be enough.
What is phishing?
Term "phishing", also recognised as “brand spoofing” or “carding”, is a type of the online scam where users are tricked into believing that they are interacting with the legitimate source (website, brand, official authority, etc.). In reality, the phisher (the scammer), is pretending to be a trusted source, to exploit the user in many ways, but mainly to cause financial harm.
What it looks like?
A typical example of the phishing is an email pretending to be sent from a financial institution, asking from the recipient for their credentials and password, or credit card number and security code to verify something.
Email like that is at least little suspicious purely because of its nature. You may even ask yourself, who would actually believe that a bank needs your credit card information or password. And you are not wrong, many people would recognise the potential danger, but phishing is playing the numbers game, operating on a large scale. That how it got its name.
“Phishing” sounds very similar to the word “fishing”, and that is not by accident. As with fishing, to catch a single fish, the hook with bait must be thrown into the lake with tens or hundreds of fish. Phishers are not very different. They are targeting thousands and thousands of people just to find some that would get caught on the hook. The principle is the same.
Not a new threat
In the book Phishing Exposed, authors summarised the beginning of the phishing.
In the early days of the internet, one of the first phishing programs was developed to exploit users of AOL (America Online) in 1995. The phishing software pretended to be America Online administrator explaining the ongoing problem with the billing process, therefore the credit card information needed to be renewed. Due to the small online population, this method was very effective. Internet, after all, was a brand-new thing for the most.
The real surge of phishing emails happened in 2003 when clients of major US financial institutes were hit. It didn’t result from highly skilled scammer geniuses, who developed sophisticated tools to commit the criminal master plan because the tools were quite accessible for anyone as phishing is built on the same principle as spam emails. The only activity required for scammers was to make emails look as legitimate as possible and borrow one of the available spam software. The human factor was the one, firewalls and antiviruses couldn’t influence.
The Computing Technology Industry Association reported that between May of 2014 and 2015, phishing caused losses valued at nearly $930 millions of dollars in the US alone. It was clear that phishing is here to stay.
What is the reality of phishing? Here are some statistics from various sources.
- 165,772 reported phishing websites online in Q1/2020
- 85% of the phishing sites are tested positively by a trusted Certificate Authority (represented by the green lock in the web browser)
- The most prominent targets of phishing are SaaS (software as service – i.e., Google Apps or Dropbox) and email clients, financial institutions and payment sector
- Google currently blocks 100 million phishing emails every day, 18 millions of them are COVID-19 related scams
- 65% of US organisations fall victim in 2019 to a phishing attack
- Apple is the most mimicked brand for phishing in the world, followed by Netflix and PayPal
- Facebook is the most faked website in the world
- On average, 1 in 99 emails is a phishing attack, which means for an average employee nearly five phishing attacks per week
Types of phishing
Phishing can be divided into multiple categories.
By the target
1. Everyone – pretty self-explanatory and most common type of phishing.
The goal is to reach as much population as possible, by usually mimicking the famous brand such as Apple or Google. An only tiny percentage will respond and risks theft of personal information or insert the malware (software allowing unauthorised access to the system).
2. Specific group – phishers focus on particular groups, such as clients of the institutions or people inside the organisation.
Phishers pretend to be in a relationship with the group. For example, the phisher can impersonate a supplier and send a fake invoice to the targeted company. The goal is to cause financial harm or gain access to organisational systems to further exploits the partners of the institution.
3. Individuals – also called “spear phishing”, focuses on a specific person, usually managers, system administrators or even famous people.
It requires a large amount of preparation, research and skills. The goal is to gain access to personal information and accounts that could hold content of value or cause severe financial damage.
Creators of Star Wars claimed that they were scared of leaks of an upcoming movie, so they decided to write the script on a laptop without access to the internet to prevent one. That shows, even the company with billions in revenue, which can afford a high level of online security, is afraid of content theft through the exploitation of human factor in the form of phishing.
1. Mobile – the fake call or text message.
For example, text message or call from a financial institution that someone is trying to use the user’s credit card, and user needs to provide credit card details to verify the owner of the card.
2. Email – an email sent to a user inbox.
For example, an email that says the user won something, and they just need to pay for postage.
3. Web – during browsing on the internet, user can encounter phishing website that would be mimicking the real site.
For example, a user is searching for clothing and finds the website that offers clothing from the premium brand with a massive sale, urging that user to purchase immediately because the offer will expire soon, stealing the credit card details in progress. Or fake Facebook website can trick users to login while recording their data and passwords.
Read more: Data protection - Are passwords obsolete?
4. Social media – users receive a notification or a direct message that someone mentioned them in a post/ tweet, in order to redirect him to the fake website.
Similar to the example above, the user can be mentioned in a post promoting the sale of the specific brand. After clicking on the post, the user is redirected outside of the normal social site to a phishing platform.
It is easy to get "phished". But some universal rules may help protect yourself from the potential harm.
1. Never share any personal and financial information or login details
This is the Internet universal rule number one.
The disclaimer at the end of every email coming from the official channel is there to reinforce users that the organisation doesn’t need to know your password or card information to operate successfully.
If someone, even trustworthy, asks for the personal credentials, the approach must always be critical and cautious.
2. Do not communicate outside of the official channel
Organisations spend massive amounts on providing quality websites or apps, not only to create a pleasant user experience but also to create safe space.
Phishers always want to get the users to their platform. They will use phrases like “respond to this email” or “click only on this link”, they don’t want users to go and check the app or official website.
Imagine setting up the PayPal account, and receive an email notification about the ongoing transaction, that never been made. Rather than follow the email communication, log back to the app or website and check the status of the account. If you have questions, contact the official support.
3. Pressure and sense of urgency
Phishing messages always create a sense of urgency and pressure user to act quick.
A typical example is a message from financial institution claiming that someone is trying to use the credit card, and verification is needed from the owner of the account to prevent the unauthorised transaction. The idea is that fear of financial loss will cloud one’s mind, and they will reply without hesitation. Ironically, they just put themselves in a dangerous situation.
Always take time and verify the legitimacy of the message. Do not make decisions hastily.
The same applies to unbelievable sales offers, and if it is too good to be true, it probably isn’t.
4. Suspicious sources
Several signals can give away clues that the sender is not a legitimate authority.
Such as spelling mistakes or the use of symbols in the body of email address. If the message is from “Facebok@yahho.net” or “email@example.com”, it is not a legitimate sender.
The URL of the link in the message is another point to look at. Usually, links from official authority are simple and straightforward. For comparison, first is the link for restoring forgotten password for Apple ID, and the second is one we made up ourselves.
Which one makes you more suspicious?
If the URL address has nonsensical words, letters and numbers, or looks different from previous links, it should be at least questionable.
Sometimes phishers are more sophisticated, and they use short versions of the URL addresses to hide the full address. We shorten the link to one of our blogs, to demonstrate. First is the regular version, and a third-party website is used to shortens second.
It is easy to hide the full address, but once clicked on the shortened URL, the real URL will show in the web browser.
This blog post covers an introduction to the topic of phishing, and as with everything digital, it is continually evolving. To gain even more insights and safely protect yourself or your company's online presence, subscribe to TRG blog to learn more.